Choosing a Cybersecurity Framework

by Brian Petzold | Aug 13, 2021


It is a good practice to adopt a cybersecurity framework as part of an institution’s Information Security Program. A framework gives the program a defined set of expected controls to measure against, which makes it possible to identify gaps that would otherwise leave the institution vulnerable. But there are numerous frameworks available, and many institutions have trouble deciding which one is best for them. Today we will look primarily at two of the common frameworks (NIST and the FFIEC CAT) to help institutions choose which will work best for them.

Many cybersecurity professionals will quickly state that an organization should adopt NIST as its cybersecurity framework. NIST is the National Institute of Standards and Technology, a US federal agency created in 1901 to develop the standards by which things are measured. In 2005, NIST released a catalog of security controls called Special Publication 800-53 (or “SP 800-53”), “Recommended Security Controls for Federal Information Systems”.

This publication was designed to be the control catalog used by US federal agencies, but it also has value for non-government organizations. SP 800-53 continues to be updated and today comprises over 1,000 controls and control enhancements, with guidance on which controls are appropriate at each of several risk (impact) levels. Using SP 800-53 directly as an institution’s framework can lead to control fatigue because of the sheer number of controls it contains.

In 2014, under a 2013 executive order, NIST released a second framework called the NIST Cybersecurity Framework (NIST CSF). This framework provides more structure to how controls are organized and prioritized (grouping outcomes into Functions, Categories, and Subcategories), and it includes informative references that cross-reference each outcome to SP 800-53 as well as to other popular standards (COBIT, ISO/IEC 27001, the CIS Controls, etc.). The NIST CSF has since become the primary framework used by most organizations that state they use a NIST framework.

Those who have experience in the financial services industry will often use the FFIEC Cybersecurity Assessment Tool (CAT) or the NCUA Automated Cybersecurity Examination Tool (ACET) as their primary framework (these two tools are substantially the same). The CAT and ACET are made up of 494 controls (called “declarative statements”) spread across five domains and five maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative). 151 of the statements in the CAT are loosely based on the NIST CSF.

In addition to the NIST-derived statements, there are 343 statements that are based on FFIEC guidance and are not included in NIST. Because every statement is tied to a maturity level, institutions can focus on the controls needed to reach the next level of maturity rather than trying to address everything at once.

When we are working with customers, we urge them to initially use the FFIEC CAT as their framework, since this means the institution will meet the FFIEC-based expectations of its regulators while also remediating the most important NIST controls. As institutions grow in maturity, they can consider going deeper into NIST or adding other available frameworks (COBIT, ITIL, ISO, etc.).

If your institution needs help in choosing a framework, please do not hesitate to reach out! Email us any time at support@bedelsecurity.com.


Additional Resources:

Herding CATs
https://www.bedelsecurity.com/blog/herding-cats

Awareness: Understand the Options for Maturing Your Cybersecurity
https://www.bedelsecurity.com/blog/awareness-understand-the-options-for-maturing-your-cybersecurity

Five Tips for a Healthy CAT Experience
https://www.bedelsecurity.com/blog/five-tips-for-a-healthy-cat-experience

The Bedel Security Cybersecurity Assessment Tool
https://www.bedelsecurity.com/lp-cybersecurity-assessment-tool

5 Things to Know About the New NCUA Automated Cybersecurity Examination Tool
https://www.bedelsecurity.com/blog/5-things-to-know-about-the-new-ncua-automated-cybersecurity-examination-tool
